
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

 

RouterOS v3 Configuration and User Guide

 

 

chain (forward input output postrouting prerouting) - specifies the chain to put a particular rule into. Different traffic passes through different chains, so always be careful to choose the right chain for a new rule. If the value does not match the name of an already defined chain, a new chain with that name is created

comment (text) - free-form textual comment for the rule. A comment can be used to refer to a particular rule from scripts

connection-bytes (integer-integer) - matches packets only if the given number of bytes has been transferred through the particular connection

An upper bound of 0 means no limit; for example, connection-bytes=2000000-0 means that the rule matches once more than 2 MB has been transferred through the relevant connection

connection-limit (integer,netmask) - restricts the number of connections per address or address block (the netmask is given as a prefix length); the rule matches once that number is exceeded

connection-mark (name) - matches packets marked via the mangle facility with the particular connection mark

connection-state (established invalid new related) - interprets the connection tracking analysis data for a particular packet

established - a packet which belongs to an existing connection, for example a reply packet or a packet which belongs to a connection that has already been replied to

invalid - a packet which could not be identified for some reason. This includes out-of-memory conditions and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets

new - a packet which begins a new connection (for TCP, normally the initial SYN)

related - a packet which is related to, but not part of, an existing connection, such as an ICMP error or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)

connection-type (ftp gre h323 irc mms pptp quake3 tftp) - matches packets from related connections based on information from their connection tracking helpers. The relevant connection helper must be enabled under /ip firewall service-port
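The following is an added example, not part of the manual: a minimal stateful input chain that uses connection-state, connection-limit, connection-bytes and a user-defined chain together. The interface name ether1, the management network 10.0.0.0/24 and the chain name mgmt are assumptions chosen for illustration.

```routeros
# Added example (not from the manual). ether1, 10.0.0.0/24 and the chain name
# "mgmt" are assumptions for illustration.
# The "related" state can only recognise FTP data connections if the helper is on.
/ip firewall service-port
set ftp disabled=no

/ip firewall filter
# Referencing the not-yet-defined chain "mgmt" creates it. Management checks live here:
# only the management subnet may open SSH, and not more than 10 connections per /32.
add chain=mgmt protocol=tcp dst-port=22 src-address=10.0.0.0/24 connection-limit=10,32 action=drop comment="11th concurrent SSH connection from one host"
add chain=mgmt protocol=tcp dst-port=22 src-address=10.0.0.0/24 action=accept
add chain=mgmt action=return comment="anything else falls back to the input chain"

# Traffic addressed to the router itself: accept only what conntrack already knows about.
add chain=input connection-state=established action=accept comment="replies on tracked connections"
add chain=input connection-state=related action=accept comment="ICMP errors, helper-opened data connections such as FTP data"
add chain=input connection-state=invalid action=drop comment="unclassifiable packets; the manual advises dropping them"
add chain=input in-interface=ether1 connection-state=new action=jump jump-target=mgmt
add chain=input action=drop comment="default deny: a new connection the mgmt chain did not accept"

# Transit traffic: log a connection once more than 2 MB has passed through it
# (upper bound 0 means no limit).
add chain=forward connection-bytes=2000000-0 action=log log-prefix="big-xfer"
```

Rule order matters: the established/related accepts come first so that the connection-limit check only ever sees new connections, and the final drop in the input chain is what turns the mgmt chain's return into a deny. The connection-bytes rule keeps matching for the rest of the connection's life once the threshold is crossed, so in practice it is paired with a connection mark or a jump rather than logged on every packet.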

content (text) - the text that packets must contain in order to match the rule

dscp (integer: 0..63) - DSCP (formerly ToS) IP header field value

dst-address (IP address/netmask IP address-IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24

dst-address-list (name) - matches the destination address of a packet against a user-defined address list

dst-address-type (unicast local broadcast multicast) - matches the destination address type of the IP packet, one of the following:

unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case

local - match addresses assigned to router's interfaces

broadcast - the IP packet is sent from one point to all other points in the IP subnetwork

multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

dst-limit (integer/time{0,1},integer,dst-address dst-port src-address{+},time{0,1}) - limits the packet rate (packets per second) per destination IP address or per destination port. As opposed to the limit matcher, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):

count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option

time - specifies the time interval over which the packet rate is measured

burst - number of packets to match in a burst

mode - the classifier(s) for packet rate limiting

expire - specifies the interval after which recorded IP addresses / ports are deleted

dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range

fragment (yes no) - whether the packet is a fragment of an IP packet. The starting packet (i.e., the first fragment) does not count. Note that if connection tracking is enabled there will be no fragments, as the system automatically reassembles every packet
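The following is an added example, not part of the manual, showing the forward-chain matchers just described: dst-limit keyed per destination address, dst-address-type, a dst-port list and the fragment matcher. The DMZ host address 192.168.10.5 and the rate figures are assumptions chosen for illustration.

```routeros
# Added example (not from the manual). 192.168.10.5 and the rate values are assumptions.
/ip firewall filter
# fragment=yes only ever matches when connection tracking is disabled, because
# conntrack reassembles packets before the filter sees them. Keep the rule anyway
# so the policy still holds if tracking is switched off.
add chain=forward fragment=yes action=drop comment="non-initial fragments"

# Per-destination ping limit: each destination behind the router may receive
# 5 echo requests per second on average with a burst of 10; the counter for a
# destination that has gone quiet is expired after 10s.
# Format is count[/time],burst,mode[/expire].
add chain=forward protocol=icmp icmp-options=8:0 dst-limit=5/1s,10,dst-address/10s action=accept
add chain=forward protocol=icmp icmp-options=8:0 action=drop comment="echo requests over the per-host rate"

# A router should not relay traffic aimed at broadcast or multicast addresses.
add chain=forward dst-address-type=broadcast action=drop
add chain=forward dst-address-type=multicast action=drop

# Only web ports may be forwarded to the DMZ host; dst-port accepts a comma list.
add chain=forward protocol=tcp dst-address=192.168.10.5 dst-port=80,443 action=accept
add chain=forward dst-address=192.168.10.5 action=drop comment="everything else to the DMZ host"
```

The dst-limit rule works as an accept-then-drop pair: packets within the per-destination budget match the first rule and are accepted, and those over it fall through to the drop. With the plain limit matcher one noisy destination would exhaust a single shared budget for all hosts; keying on dst-address gives each host its own.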

hotspot (multiple choice: auth from-client http local-dst to-client) - matches packets received from clients against various HotSpot conditions. All values can be negated

auth - true if the packet comes from an authenticated HotSpot client

from-client - true if the packet comes from any HotSpot client

http - true if a HotSpot client sends a packet to the address and port previously detected as its proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for

Allied Telesis AT-WR4500 manual